SOC 2 Complete Toolkit — 22 editable SOC 2 Trust Services Criteria document templates in Word and Excel
SOC 2 Trust Services Criteria | SaaS & technology companies

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

What's inside — 22 documents + 3 workbooks

  1. Information Security Policy (.docx)
  2. Code of Conduct and Ethics Policy (.docx)
  3. Governance and Organizational Structure Policy (.docx)
  4. Human Resources Security Policy (.docx)
  5. Risk Assessment Procedure (.docx)
  6. Vendor and Business Partner Management Policy (.docx)
  7. Access Control Policy (.docx)
  8. Physical Security Policy (.docx)
  9. Data Classification and Handling Policy (.docx)
  10. Encryption and Key Management Policy (.docx)
  11. Network and Endpoint Security Policy (.docx)
  12. Vulnerability Management Procedure (.docx)
  13. Monitoring and Logging Policy (.docx)
  14. Security Incident Response Plan (.docx)
  15. Change Management Policy (.docx)
  16. Secure Software Development Policy (.docx)
  17. Business Continuity and Disaster Recovery Plan (.docx)
  18. Availability and Capacity Management Policy (.docx)
  19. Data Retention and Disposal Policy (.docx)
  20. Security Awareness and Training Policy (.docx)
  21. Communication and Information Policy (.docx)
  22. AI Acceptable Use Policy (.docx)

Excel workbooks

  • Risk Register (Excel)
  • SOC 2 TSC Control Mapping — all 38 criteria (Excel)
  • Audit Evidence Checklist (Excel)

See the real content before you buy

We publish genuine excerpts — not marketing mockups. Read the opening sections of the Information Security Policy exactly as you'll receive it:

Read the free preview

Frequently asked questions

Which Trust Services Criteria does this SOC 2 toolkit cover?
The policies map to the AICPA Trust Services Criteria, with an Excel control-mapping workbook covering the Security (Common Criteria) set and supporting the Availability, Confidentiality, Processing Integrity and Privacy categories where they are in your audit scope.

Is this for a SOC 2 Type I or a Type II report?
Both. The documentation establishes the control environment a Type I examines at a point in time and a Type II examines over a period. You operate the controls; a licensed CPA firm performs the examination and issues the report.

Will buying this make us SOC 2 compliant?
SOC 2 is an independent CPA firm’s attestation, not something a document pack confers. This toolkit gives you the policy and evidence-mapping foundation auditors request first, so your readiness work is faster and far cheaper than starting from scratch.

What format are the files and how are they delivered?
Editable Microsoft Word (.docx) and Excel (.xlsx) files, delivered as an instant download immediately after checkout. Organization-specific values are amber [bracketed placeholders] you replace with find-and-replace.

What licence do I get?
A single-organization licence. If you are a consultant or MSP intending to reuse the documents across multiple clients, contact us first for a fair multi-client arrangement.

$99

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.